Jon Callas wrote:
I think we ought to keep it with the same algorithm number.
I'm happy to put in SHA-224 (meaning it's trivial work), but I don't
like it, myself. The reason is that SHA-224 is really a truncated
SHA-256. Thus, it has no advantages over SHA-256 except being smaller
by 32-bits with 112 bits of security. The reason it exists at all is
for crypto-balance with 2-key 3DES (which is not TDEA), which we don't
allow at all. I don't think we should have it as it goes against our
principles of wanting a minimum of 128-bits of security in OpenPGP.
(Yes, yes, I know that SHA-1 doesn't meet this either, but until
SHA-256, we didn't have many options. That doesn't mean the principle
is wrong; we *have* options.)
In general I'd agree that the less algorithms/lengths
the better. I'd certainly be keen to drop SHA-224 if
there is no good reason for it.
iang